airflow (Contributor, joined May 29, 2014, 111 messages)
Hi,
I've a question regarding networking within a FreeNAS-system (especially when using jails).
Each day I get a mail (security run output) with lots of messages like these:
Code:
fractal.hetzendorf.local kernel log messages:
> arp: 172.22.2.2 moved from 02:47:2f:00:08:0a to ac:22:0b:4f:44:ea on epair1b
> arp: 172.22.2.2 moved from 02:5a:0e:00:0d:0a to ac:22:0b:4f:44:ea on epair6b
> arp: 172.22.2.2 moved from 02:5a:0e:00:0d:0a to ac:22:0b:4f:44:ea on epair6b
> arp: 172.22.2.2 moved from 02:5a:0e:00:0d:0a to ac:22:0b:4f:44:ea on epair6b
> arp: 172.22.2.2 moved from 02:5a:0e:00:0d:0a to ac:22:0b:4f:44:ea on epair6b
> arp: 172.22.2.2 moved from 02:47:2f:00:08:0a to ac:22:0b:4f:44:ea on epair1b
> arp: 172.22.2.2 moved from 02:c7:9b:00:0a:0a to ac:22:0b:4f:44:ea on epair3b
> arp: 172.22.2.2 moved from 02:c7:9b:00:09:0a to ac:22:0b:4f:44:ea on epair2b
> arp: 172.22.2.2 moved from 02:8c:47:00:0c:0a to ac:22:0b:4f:44:ea on epair5b
> arp: 172.22.2.2 moved from 02:5a:0e:00:0d:0a to ac:22:0b:4f:44:ea on epair6b
[loads of similar lines]
-- End of security output --
I investigated a little what's happening here. I didn't find any discussion/explanation on the internet, but my own findings are: Every jail of FreeNAS creates a pair of virtual interfaces epair<n>a (in the main-system) and epair<n>b (in the jail), where <n> is the number of the jail. epair<n>b is the interface where the IP of the jail is configured. Additionally, there is a bridge0, which connects all epair<n>a and the physical interface (em0 in my case). Obviously, there must also be some logical connection between epair<n>a and epair<n>b, but I didn't find any virtual bridges that connect these two. I guess that's happening in the setup of the jails somewhere.
Nevertheless, in my understanding the jails and the main-system are connected via a virtual bridge. Bridges forward packets by looking at MAC addresses, but they do not rewrite them. So all IPs used are in the same subnet; there is no routing involved.
The messages above indicate that there is MAC-flipping of the IP of the main-system (172.22.2.2). When I look at these messages closely, I see that it's always a flip from the MAC of an epair<n>a to the real MAC within the main-system (em0, which has ac:22:0b:4f:44:ea). When I test from one of the jails, I see that ARP resolution for the IP of the main-system (172.22.2.2) always resolves to the MAC of the corresponding epair<n>a interface. This is not what I would expect; I would expect it to resolve to the MAC of em0, where this IP really lives. By the way, IP addresses that live outside the FreeNAS-system (but still within the same subnet) are correctly resolved, also within the jails.
So for some reason the IP of the main-system does resolve differently within the jails. But even if I just accept this, there is still the question why the system thinks that there is MAC-flipping. There is no MAC-flipping within any jail (or the main-system); as far as I have checked, it seems to stay consistent. Also, it's always the move from epair<n>a's MAC to em0's MAC - never the other direction! So what is really happening here? And can I prevent these messages, as they clog the security output with this unnecessary info and keep me from spotting the really interesting/important stuff?
Thanks,
airflow
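An added example, not from the original post, for triaging the daily security-run output rather than reading it by hand: it parses the "arp: ... moved" lines and separates the exact pattern airflow describes (the host IP 172.22.2.2 moving from a locally administered epair MAC to em0's MAC, reported on an epair<n>b interface) from every other move, which is the kind that would point at real ARP flapping or spoofing. The host IP and MAC come from the post; the 172.22.2.50 lines and their MACs are constructed for contrast.

```python
import re
from collections import Counter
# Matches the FreeBSD kernel message quoted in the post, e.g.
# "arp: 172.22.2.2 moved from 02:47:2f:00:08:0a to ac:22:0b:4f:44:ea on epair1b"
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d+(?:\.\d+){3}) moved from (?P<old>[0-9a-f:]{17}) "
    r"to (?P<new>[0-9a-f:]{17}) on (?P<ifname>\S+)"
)

# Constructed sample: the first four lines mirror the post; the last two are an
# invented host (172.22.2.50) flapping between two MACs on em0, for contrast.
SAMPLE_LOG = """\
> arp: 172.22.2.2 moved from 02:47:2f:00:08:0a to ac:22:0b:4f:44:ea on epair1b
> arp: 172.22.2.2 moved from 02:5a:0e:00:0d:0a to ac:22:0b:4f:44:ea on epair6b
> arp: 172.22.2.2 moved from 02:c7:9b:00:0a:0a to ac:22:0b:4f:44:ea on epair3b
> arp: 172.22.2.2 moved from 02:5a:0e:00:0d:0a to ac:22:0b:4f:44:ea on epair6b
> arp: 172.22.2.50 moved from 00:11:22:33:44:55 to 00:aa:bb:cc:dd:ee on em0
> arp: 172.22.2.50 moved from 00:aa:bb:cc:dd:ee to 00:11:22:33:44:55 on em0
"""

def parse_arp_moves(text):
    """One dict per 'arp: ... moved' line; the '> ' mail-quoting prefix is ignored."""
    return [m.groupdict() for m in map(ARP_MOVED.search, text.splitlines()) if m]

def is_locally_administered(mac):
    """epair interfaces get locally administered MACs (bit 1 of the first octet set)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def triage(events, host_ip, host_mac):
    """Separate the pattern described in the post from everything else.

    Benign: the host IP moving to the host's physical MAC from a locally
    administered (epair-style) MAC, reported on an epair<n>b interface.
    Everything else is kept for review, since that is what spoofing looks like.
    """
    benign, review = Counter(), []
    for ev in events:
        if (ev["ip"] == host_ip and ev["new"] == host_mac
                and is_locally_administered(ev["old"])
                and re.fullmatch(r"epair\d+b", ev["ifname"])):
            benign[ev["ifname"]] += 1
        else:
            review.append(ev)
    return benign, review

def flapping_ips(events):
    """IPs that moved A->B and also B->A: the genuinely interesting case."""
    seen = {(e["ip"], e["old"], e["new"]) for e in events}
    return sorted({ip for ip, a, b in seen if (ip, b, a) in seen})
```

Running `triage(parse_arp_moves(SAMPLE_LOG), "172.22.2.2", "ac:22:0b:4f:44:ea")` collapses the jail noise into a per-interface count and leaves only the 172.22.2.50 moves for review.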